The need to secure databases isn't new, but with the rapid growth of multivendor, multi-instance database environments, it's becoming increasingly difficult for companies to tell whether queries are coming from authorized applications and users, or from unauthorized snoops or even malicious attackers.

Companies also are owning up to long-standing security blind spots, such as database administrators who play multiple roles, viewed as one part system administrator, one part developer. These privileged super-users work with sensitive data frequently, and with that freedom comes the potential for accidental or intentional abuse.

One of the most promising technologies for staying on top of this state of affairs is database activity monitoring, or DAM. These systems let companies monitor database events, in real time if they want, in hopes of responding to unauthorized activity. Some DAM products provide features for privileged-user monitoring and basic database auditing, two areas that have been underserved.

These products are still expensive; appliances run $25,000 to $50,000 each, while agent-based offerings cost $5,000 to $25,000 per database. There are tough architectural decisions to be made, especially for distributed enterprises. Expect some turf warfare among database, network, and security teams. But seeing as our databases are increasingly attack targets, a DAM system might be worth the investment.

DAM products monitor SQL activity in real time across multiple database platforms and generate alerts based on policy violations. The systems can aggregate and to some degree correlate activity from multiple database products, including Microsoft SQL Server and Oracle. Some products also provide the additional benefit of monitoring and storing records of activity outside the target databases, which can come in handy if the systems housing those databases are compromised.

Three Categories Of DAM

Systems can be grouped into three categories: network monitoring, local agent monitoring, and remote monitoring.

Network monitoring products are typically appliances. With them, you need to decide whether you want active or passive network monitoring.

In an active or inline setup, the appliance sits between the target database and the network infrastructure, and all SQL activity passes through the appliance before it reaches the database server. The DAM appliance looks for policy violations using pre-set rules, very similar to how intrusion-prevention systems work, with similar trade-offs. An active model lets IT go beyond just auditing and monitoring to proactively putting a halt to questionable activities. The downside is that it can hurt database performance, limit database scalability, and potentially disrupt service with false positives.
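
The active-versus-passive trade-off described above, as an added example that is not from the article or from any DAM product: a small rule engine applies the same pre-set rules in both modes. The rules and every account, application and table name are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SqlEvent:
    user: str  # database login
    app: str   # client application name reported by the session
    sql: str   # statement text as seen on the wire

# Constructed policy: every account, application and table name is an assumption.
AUTHORIZED_APPS = {"billing-svc", "nightly-report"}
PRIVILEGED_USERS = {"dba_alice"}
SENSITIVE = re.compile(r"\b(customers|card_numbers)\b", re.I)
BULK_READ = re.compile(r"^\s*select\s+\*", re.I)

RULES = [
    ("unauthorized-application", lambda e: e.app not in AUTHORIZED_APPS),
    ("privileged-user-reads-sensitive-data",
     lambda e: e.user in PRIVILEGED_USERS and bool(SENSITIVE.search(e.sql))),
    ("bulk-read-of-sensitive-table",
     lambda e: bool(BULK_READ.match(e.sql)) and bool(SENSITIVE.search(e.sql))),
]

def violations(event):
    """Names of every pre-set rule the statement trips."""
    return [name for name, test in RULES if test(event)]

def monitor(events, mode):
    """passive: alert only, everything reaches the database.
    active: inline, statements that trip a rule are dropped."""
    if mode not in ("passive", "active"):
        raise ValueError(f"unknown mode: {mode}")
    forwarded, blocked, alerts = [], [], []
    for ev in events:
        hits = violations(ev)
        if hits:
            alerts.append((ev, hits))
        (blocked if hits and mode == "active" else forwarded).append(ev)
    return forwarded, blocked, alerts

# Constructed sample traffic.
SAMPLE = [
    SqlEvent("billing", "billing-svc", "SELECT total FROM invoices WHERE id = 7"),
    SqlEvent("dba_alice", "sqlplus", "SELECT name, pan FROM card_numbers"),
    # Legitimate scheduled job that still trips the bulk-read rule (false positive).
    SqlEvent("report", "nightly-report", "SELECT * FROM customers"),
]
```

In passive mode the report job still reaches the database and only raises an alert; in active mode the same false positive is dropped alongside the DBA query, which is the service-disruption risk of an inline deployment.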
